1. Field of the Invention
The present invention relates to computerized database systems, and more particularly to a method and an apparatus for modularizing security profiles for users of an enterprise resource planning system including a database, wherein the security profiles specify actions that the user is allowed to perform on the database.
2. Related Art
Almost every function performed by a business can be more effectively managed by using an enterprise resource planning system (ERP) to keep track of data associated with the function. ERPs are presently used to keep track of business functions such as finances, taxes, inventory, payroll, planning. Some ERPs additionally allow sharing of data across organizational units, which can greatly improve information flow through a company. However, providing such sharing can significantly complicate the process of ensuring security for the underlying database system. (Note that ERPs store data in underlying databases, and the term ERP is used interchangeably with the term database in this specification.)
This problem is complicated by the common use of distributed computing systems to implement ERPs within corporations. These distributed computing systems spread out computational and data storage resources across computer networks to a large number of geographically separate computing nodes. Consequently, a distributed computing system exposes sensitive data to greater risk of loss, unauthorized modification and unauthorized access than exists in a more centralized computing system.
Techniques presently used to provide security in ERPs (database systems) are not well adapted to control security in such readily accessible and widely distributed database systems. Some existing security systems implement security by providing a security profile for each user of the database system. A security profile specifies certain actions (or activity types) that a user is allowed to perform on the database. Each user is assigned a specific security profile, and each user is only allowed to perform the actions specified in the security profile.
System administrators are typically given the responsibility to create and assign security profiles. This procedure involves significant risks in a distributed computing environment, where potentially hundreds of system administrators, located at different sites within a corporation, are charged with the task of assigning security profiles to users. It becomes almost impossible to exercise control over security in such an environment without unreasonably hindering access to the database system. A system administrator in a small branch office can potentially give a low-level clerk access to the secret corporate information.
Furthermore, without some centralized system for security control it is almost impossible to exercise control over security for a particular business area or a particular business function. In order to determine what users have access to a particular type of information, it may be necessary to scan through security profiles for all users across all nodes of a distributed system.
Additionally, the task of managing security is presently in the hands of system administrators, who maintain system security by deciphering cryptic information and inputting cryptic commands into a database security system. Business managers, who are not familiar with this cryptic information, cannot readily oversee the work of security administrators. Thus, a critical oversight function is lacking.
What is needed is a security system for a database system that allows database security to be controlled within each organizational unit of a business, while at the same time allowing accesses by users across business area boundaries.
Additionally, what is needed is a system for maintaining database security that allows a business manager to effectively visualize and manipulate database security without extensive training in cryptic computer formats and commands.